Are you using a load balancer? Care to share details?

Are you using a load balancer?

I'd like to put a best practice together but would like some Community input. Usually the MWG is administered by one person/team, and the load balancer is administered by another. Having a best practice will make it easier for both sides to get the information they need.

ProxyHA (best practice here) on MWG is an option for a lot of environments, but there's always a place for external load balancers too.

If you have a load balancer, what mode are you using? In my experience the best experience was Direct routing or NAT mode, but there are limiting factors with network configuration.

I'm imagining that there is a 5-minute inactivity timeout, whereby the load balancer will send all traffic from a certain source IP to the same proxy until there is 5 minutes of inactivity (this is how MWG's built-in ProxyHA works).
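To make the persistence behaviour described above concrete, here is an added illustration (not MWG code and not any vendor's load-balancer implementation) of a source-IP affinity table with an inactivity timeout. The 5-minute window mirrors the post; the round-robin choice for a client with no live entry, the proxy names and the client addresses are assumptions. It also shows what happens when a proxy is taken out of the pool, which is the case a defender cares about most: clients pinned to a dead member must be re-balanced rather than left stuck.

```python
"""Source-IP persistence with an idle timeout (added example, not MWG code)."""
import time
from typing import Dict, List, Optional, Tuple


class StickyBalancer:
    """Send every connection from one client IP to the same proxy until that
    client has been idle for idle_timeout seconds, then re-balance it.

    The 5-minute default mirrors the thread; round-robin selection for fresh
    entries is an assumption, not a statement about any product."""

    def __init__(self, proxies: List[str], idle_timeout: float = 300.0) -> None:
        self.proxies = list(proxies)
        self.idle_timeout = idle_timeout
        self._rr = 0
        # client IP -> (assigned proxy, timestamp of last activity)
        self.table: Dict[str, Tuple[str, float]] = {}

    def _fresh(self) -> str:
        """Round-robin pick for a client with no live persistence entry."""
        if not self.proxies:
            raise RuntimeError("no proxies left in the pool")
        proxy = self.proxies[self._rr % len(self.proxies)]
        self._rr = (self._rr + 1) % len(self.proxies)
        return proxy

    def pick(self, client_ip: str, now: Optional[float] = None) -> str:
        """Return the proxy that should receive this client's next connection."""
        now = time.monotonic() if now is None else now
        entry = self.table.get(client_ip)
        if entry is not None:
            proxy, last_seen = entry
            # Any activity inside the window refreshes the idle clock.
            if now - last_seen < self.idle_timeout and proxy in self.proxies:
                self.table[client_ip] = (proxy, now)
                return proxy
        proxy = self._fresh()
        self.table[client_ip] = (proxy, now)
        return proxy

    def expire(self, now: Optional[float] = None) -> int:
        """Drop entries idle for at least idle_timeout; return how many were dropped."""
        now = time.monotonic() if now is None else now
        stale = [ip for ip, (_, seen) in self.table.items()
                 if now - seen >= self.idle_timeout]
        for ip in stale:
            del self.table[ip]
        return len(stale)

    def mark_down(self, proxy: str) -> int:
        """Remove a failed proxy from the pool and forget its clients; return count."""
        self.proxies = [p for p in self.proxies if p != proxy]
        victims = [ip for ip, (p, _) in self.table.items() if p == proxy]
        for ip in victims:
            del self.table[ip]
        return len(victims)


if __name__ == "__main__":
    # Constructed walk-through with a simulated clock (seconds).
    lb = StickyBalancer(["mwg-a", "mwg-b", "mwg-c"])
    print(lb.pick("10.0.0.5", now=0))     # fresh entry
    print(lb.pick("10.0.0.5", now=299))   # still inside the window: same proxy
    print(lb.pick("10.0.0.5", now=898))   # 300 s idle: re-balanced
    print(lb.expire(now=900), "entries expired")
```

The affinity table is keyed on the true source address, so this scheme only works if the load balancer still sees client IPs rather than a single upstream NAT address; with a NAT in front of it, every client collapses onto one entry and one proxy.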

Re: Are you using a load balancer? Care to share details?

Two items, both on the LB:

Configure the LB Virtual IP (VIP) as layer 4 (L4). Some LBs will drop or alter HTTP fields in client-gateway connections. In some cases, these actions will result in web sites not working correctly or not working at all. These problems are difficult and time-consuming to diagnose and remediate.

Make sure that you're getting true client source IP addresses from the LB. Some LB configurations will put the source IP address in the X-Forwarded-For field instead of retaining the true source IP. While this usually works, there are some troubleshooting tools where true source IP is very important. This issue goes back to L4 vs. L7 VIPs.
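The X-Forwarded-For point above has a security side that is worth spelling out: the header is plain text set by whoever last touched the request, so a gateway must only believe it when the TCP peer is one of its own load balancers, and must read it from the right (the hop appended by the nearest trusted proxy) rather than the left, which any client can fill in. The following is an added example, not MWG's own logic; the trusted LB range, the log format and the addresses are constructed. It also shows why the header does not help with packet captures: the peer column is all tcpdump will ever see.

```python
"""Recovering the real client address behind an L7 load balancer (added example)."""
import ipaddress
import shlex
from typing import List, Optional, Tuple

# Hypothetical address range of the load balancers allowed to set X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.0.0/24")]


def _is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip: str, xff: Optional[str]) -> str:
    """Return the address to treat as the client.

    The TCP peer is authoritative unless it is one of our own load balancers;
    only then is X-Forwarded-For consulted, and it is read right to left so the
    hop appended by the nearest trusted proxy wins and a client-supplied
    leftmost value cannot override it."""
    try:
        if xff is None or not _is_trusted(peer_ip):
            return peer_ip
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        for hop in reversed(hops):
            if not _is_trusted(hop):
                return hop
    except ValueError:
        # Malformed header or address: fall back to what the packet says.
        return peer_ip
    return peer_ip  # every hop was one of our own proxies


# Constructed access-log lines in a hypothetical "peer=... xff=... url=..." format.
# peer is the L3 source the gateway (and tcpdump) sees; xff is the header value or "-".
SAMPLE_LOG = """\
peer=10.10.0.7 xff="192.0.2.10" url=http://example.test/
peer=10.10.0.7 xff="198.51.100.4, 10.10.0.7" url=http://example.test/a
peer=203.0.113.9 xff="192.0.2.99" url=http://example.test/b
peer=10.10.0.8 xff=- url=http://example.test/c
"""


def resolve_log(text: str) -> List[Tuple[str, str]]:
    """Map each line to (address a packet capture shows, address to log as client)."""
    out = []
    for line in text.splitlines():
        fields = dict(f.split("=", 1) for f in shlex.split(line))
        xff = fields["xff"]
        out.append((fields["peer"], client_ip(fields["peer"], None if xff == "-" else xff)))
    return out


if __name__ == "__main__":
    for peer, client in resolve_log(SAMPLE_LOG):
        print(f"on the wire: {peer:15} logged client: {client}")
```

Line three of the sample is the important one: the request came straight from 203.0.113.9 with a forged X-Forwarded-For, and because the peer is not a trusted load balancer the header is ignored. With an L4 or direct-routing VIP the peer column already holds the client address and none of this parsing is needed.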

Re: Are you using a load balancer? Care to share details?

msiemens wrote:

Two items, both on the LB:

Configure the LB Virtual IP (VIP) as layer 4 (L4). Some LBs will drop or alter HTTP fields in client-gateway connections. In some cases, these actions will result in web sites not working correctly or not working at all. These problems are difficult and time-consuming to diagnose and remediate.

Make sure that you're getting true client source IP addresses from the LB. Some LB configurations will put the source IP address in the X-Forwarded-For field instead of retaining the true source IP. While this usually works, there are some troubleshooting tools where true source IP is very important. This issue goes back to L4 vs. L7 VIPs.

To your point: we changed LB technology in the past few months and the new LB is 'proxying' the connection (thus hiding the real source IP) and inserting 'X-Forwarded-For' headers. It's fine 90% of the time (for example the logs have the proper source IP), but a real PITA when it comes time to do tcpdumps to resolve issues...
